[Secure-testing-commits] r25148 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Fri Jan 10 16:41:11 UTC 2014
Author: jmm
Date: 2014-01-10 16:41:11 +0000 (Fri, 10 Jan 2014)
New Revision: 25148
Modified:
data/CVE/list
Log:
"new" ffmpeg/libav issues
NFUs
clean up some older TODOs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-01-10 15:24:58 UTC (rev 25147)
+++ data/CVE/list 2014-01-10 16:41:11 UTC (rev 25148)
@@ -6761,7 +6761,7 @@
CVE-2013-5386
RESERVED
CVE-2013-5385 (The OSPF implementation in IBM i 6.1 and 7.1, and in z/OS on zSeries ...)
- TODO: check
+ NOT-FOR-US: IBM
CVE-2013-5384
RESERVED
CVE-2013-5383 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 7.1.1.12, ...)
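Review bot: The NOT-FOR-US label added for CVE-2013-5385 names only the vendor ("IBM"), while the description is about the OSPF implementation in IBM i and z/OS. Other NOT-FOR-US entries in this file name the product ("SUSE Lifecycle Management Server", "Novell iPrint Client"). Suggest something like "NOT-FOR-US: IBM i and z/OS" so a later search on the product finds the entry.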
@@ -9180,7 +9180,6 @@
- systemd <unfixed> (low; bug #725357)
[wheezy] - systemd <not-affected> (/etc/tmpfiles.d not supported in Wheezy)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859060
- TODO: no useful information available yet, recheck later
CVE-2013-4391 (Integer overflow in the valid_user_field function in ...)
{DSA-2777-1}
- systemd 204-5 (bug #725357)
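Review bot: The "recheck later" TODO is removed from the systemd entry above CVE-2013-4391, but nothing records what the recheck found. The entry still reads <unfixed> (low; bug #725357) with only the Red Hat bugzilla link. Suggest adding a NOTE line with the outcome or an upstream reference, so the next person triaging this entry does not repeat the check.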
@@ -9907,7 +9906,6 @@
CVE-2013-4179 (The security group extension in OpenStack Compute (Nova) Grizzly ...)
- nova 2013.1.3-1
NOTE: CVE for incomplete fix applied for CVE-2013-1664
- TODO: check if fix applied in #700949 was already complete
CVE-2013-4178
RESERVED
NOT-FOR-US: GA Login Drupal contributed module
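Review bot: For CVE-2013-4179 the question in the removed TODO (whether the fix applied in #700949 was already complete) is dropped without its answer being written down. If nova 2013.1.3-1 was confirmed to carry the complete fix, a short NOTE saying so would back up the fixed version; if that was not verified, the TODO should stay.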
@@ -11080,7 +11078,7 @@
CVE-2013-3710 (SUSE Lifecycle Management Server (SLMS) before 1.3.7 does not generate ...)
NOT-FOR-US: SUSE Lifecycle Management Server
CVE-2013-3709 (WebYaST 1.3 uses weak permissions for ...)
- TODO: check
+ NOT-FOR-US: WebYast
CVE-2013-3708 (The id1.GetPrinterURLList function in Novell iPrint Client before 5.93 ...)
NOT-FOR-US: Novell iPrint Client
CVE-2013-3707 (The HTTPSTK service in the novell-nrm package before ...)
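Review bot: The label added for CVE-2013-3709 is spelled "WebYast", while the CVE description on the line above spells the product "WebYaST". Suggest "NOT-FOR-US: WebYaST" so the label matches the product name and any later NOT-FOR-US entries for it.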
@@ -11175,7 +11173,7 @@
CVE-2013-3668
RESERVED
CVE-2013-3667 (The software update mechanism as used in Bare Bones Software Yojimbo ...)
- TODO: check
+ NOT-FOR-US: Various proprietary software updaters
CVE-2013-3666 (The LG Hidden Menu component for Android on the LG Optimus G E973 ...)
NOT-FOR-US: LG Hidden Menu
CVE-2013-3665 (Unspecified vulnerability in Autodesk AutoCAD through 2014, AutoCAD LT ...)
@@ -14681,7 +14679,6 @@
- nova <unfixed>
- quantum <unfixed>
- swift <not-affected> (See https://bugs.launchpad.net/keystone/+bug/1188189/comments/5)
- TODO: check if complete and possibly report to BTS, sec announcement from upstream in preparation
CVE-2013-2254 (The deepGetOrCreateNode function in ...)
NOT-FOR-US: Apache Sling
CVE-2013-2253
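Review bot: The removed TODO was the only reminder to report this issue to the BTS, and the nova and quantum lines above it remain <unfixed> with no bug number. Suggest either adding the bug references to those two lines in the same commit or keeping a TODO until the bugs are filed, otherwise the open status has nothing tracking it.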
@@ -19067,7 +19064,6 @@
- chromium-browser 24.0.1312.68-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <not-affected> (bug #702261; vulnerablility was fixed by reverting to old implementation as found in version 3.8.9.20)
- TODO: re-check uploads newer than 3.8.9.20
CVE-2013-0835 (Unspecified vulnerability in the Geolocation implementation in Google ...)
- chromium-browser 24.0.1312.68-1
[squeeze] - chromium-browser <end-of-life>
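Review bot: The libv8 <not-affected> status rests on a revert to the old implementation found in 3.8.9.20, and the removed TODO was the prompt to re-check uploads newer than that version. Nothing in the entry now says that newer uploads were checked. Suggest a NOTE recording which libv8 version was verified, since a later upstream import could bring the newer implementation back. The context line also has a typo ("vulnerablility") that could be fixed while touching this entry.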
@@ -38112,13 +38108,13 @@
{DSA-2289-1}
- typo3-src 4.5.4+dfsg1-1 (bug #635937)
CVE-2012-0264 (op5 Monitor and op5 Appliance before 5.5.0 do not properly manage ...)
- TODO: check
+ NOT-FOR-US: op5
CVE-2012-0263 (monitor/index.php in op5 Monitor and op5 Appliance before 5.5.1 allows ...)
- TODO: check
+ NOT-FOR-US: op5
CVE-2012-0262 (op5config/welcome in system-op5config before 2.0.3 in op5 Monitor and ...)
- TODO: check
+ NOT-FOR-US: op5
CVE-2012-0261 (license.php in system-portal before 1.6.2 in op5 Monitor and op5 ...)
- TODO: check
+ NOT-FOR-US: op5
CVE-2012-0260 (The JPEGWarningHandler function in coders/jpeg.c in ImageMagick before ...)
{DSA-2462-1}
- imagemagick 8:6.7.4.0-4 (bug #667635)
@@ -41614,9 +41610,11 @@
- libav 4:0.8.1-1
- ffmpeg <removed>
CVE-2011-3950 (The dirac_decode_data_unit function in libavcodec/diracdec.c in FFmpeg ...)
- TODO: check
+ - libav <not-affected> (Specific to newer ffmpeg after split)
+ - ffmpeg <not-affected> (Specific to newer ffmpeg after split)
CVE-2011-3949 (The dirac_unpack_idwt_params function in libavcodec/diracdec.c in ...)
- TODO: check
+ - libav <not-affected> (Specific to newer ffmpeg after split)
+ - ffmpeg <not-affected> (Specific to newer ffmpeg after split)
CVE-2011-3948
RESERVED
CVE-2011-3947 (Buffer overflow in mjpegbdec.c in libavcodec in FFmpeg 0.7.x before ...)
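Review bot: On the added ffmpeg lines for CVE-2011-3950 and CVE-2011-3949, the reason "Specific to newer ffmpeg after split" sits next to "ffmpeg <not-affected>", which reads as contradictory: the reason says the issue is in ffmpeg, the status says ffmpeg is not affected. Neighbouring entries use "ffmpeg <removed>" or "(Vulnerable code not present)". Suggest wording the ffmpeg reason to say that the vulnerable code is not present in the version that was packaged, and keeping the "after split" reason for the libav line only.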
@@ -41624,12 +41622,16 @@
- libav 4:0.8.1-1
- ffmpeg <removed>
CVE-2011-3946 (The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg ...)
- TODO: check
+ - libav <unfixed> (unimportant)
+ - ffmpeg <removed> (unimportant)
+ NOTE: Not suitable for code injection, not treated as security issue
CVE-2011-3945 (The decode_frame function in the KVG1 decoder (kgv1dec.c) in ...)
- libav 4:0.8.1-1
- ffmpeg <not-affected> (Vulnerable code not present)
CVE-2011-3944 (The smacker_decode_header_tree function in libavcodec/smacker.c in ...)
- TODO: check
+ - libav <unfixed>
+ - ffmpeg <removed>
+ NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commitdiff;h=0679cec6e8802643bbe6d5f68ca1110a7d3171da
CVE-2011-3943
RESERVED
CVE-2011-3942
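Review bot: The new "libav <unfixed>" line for CVE-2011-3944 carries neither an urgency nor a bug number, although the NOTE below it already points at the libav fix commit. Other unfixed entries in this file carry both, e.g. "(low; bug #725357)". Suggest filing a BTS bug and adding its number and an urgency here. For CVE-2011-3946, the "(unimportant)" tag on the "ffmpeg <removed>" line adds nothing once the package is removed and could be dropped; the NOTE explaining why it is not treated as a security issue is the useful part.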